Peter,

I'm not sure if this one is already on your list or not, but I
didn't see it addressed in -08:

I don't think the characterization of SRV-ID as an "indirect"
(i.e., DNS-resolved) identifier is correct.

Whether a subject name is indirect or not depends on the content
of the identifier field and how that content was obtained, rather
than on the identifier type itself.

In most cases, indirect identifiers will be found in DNS-ID or CN-ID, 
as a result of DNS resolution of SRV, CNAME, or other records. If an 
application is trying to authenticate such identities, then the 
document needs to clearly state under what conditions it is safe to 
do so (DNSSEC, or a static mapping rule in the client). The document
does touch on safe derivation rules later (currently in 4.2). But the
direct/indirect classification of identity types needs to be 
corrected (or just eliminated).

I said some more here:

    http://www.ietf.org/mail-archive/web/certid/current/msg00220.html

-- 
Shumon Huque
University of Pennsylvania.


On Fri, Jul 23, 2010 at 09:25:43AM -0600, Peter Saint-Andre wrote:
> Sorry, I haven't yet had a chance to review the feedback that's been
> provided during this Last Call. I'll do that en route to Maastricht
> today. Next week Jeff and I will discuss in person the points that have
> been raised, and then we'll post further regarding our proposed changes
> to the spec.
> 
> Peter
> 
> On 7/15/10 5:08 PM, The IESG wrote:
> > The IESG has received a request from an individual submitter to consider 
> > the following document:
> > 
> > - 'Representation and Verification of Domain-Based Application Service 
> >    Identity in Certificates Used with Transport Layer Security '
> >    <draft-saintandre-tls-server-id-check-08.txt> as a Proposed Standard
> > 
> > The IESG plans to make a decision in the next few weeks, and solicits
> > final comments on this action.  Please send substantive comments to the
> > ietf@ietf.org mailing lists by 2010-08-12. Exceptionally, 
> > comments may be sent to i...@ietf.org instead. In either case, please 
> > retain the beginning of the Subject line to allow automated sorting.
> > 
> > The file can be obtained via
> > http://www.ietf.org/internet-drafts/draft-saintandre-tls-server-id-check-08.txt
> > 
> > 
> > IESG discussion can be tracked via
> > https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=18634&rfc_flag=0
> > 
> > _______________________________________________
> > IETF-Announce mailing list
> > ietf-annou...@ietf.org
> > https://www.ietf.org/mailman/listinfo/ietf-announce
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf
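
An added illustration of the point made in the message above (not code from the draft or from anyone on this thread): whether a reference identifier is direct depends on where its value came from, and a DNS-derived name is accepted only under DNSSEC or a client-side static mapping. The names Step, reference_ids, cert_matches and static_map, and the sample domains, are assumptions made for this sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Step:
    """One DNS rewrite followed while locating the server (constructed model)."""
    rrtype: str    # "SRV" or "CNAME"
    owner: str     # domain the record was looked up for
    target: str    # name the record pointed to
    secure: bool   # True only if the answer was DNSSEC-validated

def norm(name):
    return name.lower().rstrip(".")

def reference_ids(source, service, chain, static_map=None):
    """Return the (type, value) identifiers a client may accept in the cert.

    source/service come from the user or configuration, so identifiers built
    from them alone are direct, whatever their type. A name taken from DNS is
    added only if every step up to it was DNSSEC-validated, or if the
    hypothetical client-side static_map lists it for this source.
    """
    source = norm(source)
    pinned = {norm(n) for n in (static_map or {}).get(source, ())}
    ids = {("DNS-ID", source), ("SRV-ID", f"_{service}.{source}")}
    current, chain_secure = source, True
    for step in chain:
        if norm(step.owner) != current:
            raise ValueError(f"resolution chain broken at {step.owner!r}")
        current = norm(step.target)
        chain_secure = chain_secure and step.secure
        if chain_secure or current in pinned:
            ids.add(("DNS-ID", current))
    return ids

def cert_matches(presented, source, service, chain, static_map=None):
    """Exact-match check of the certificate's identifiers (no wildcards here)."""
    wanted = reference_ids(source, service, chain, static_map)
    return any((t, norm(v)) in wanted for t, v in presented)

# Constructed sample: an IMAP client configured for example.com follows an
# SRV record and then a CNAME, neither of them DNSSEC-validated.
CHAIN = [Step("SRV", "example.com", "mail.hosting.example", False),
         Step("CNAME", "mail.hosting.example", "imap7.hosting.example", False)]
HOSTER_CERT = [("DNS-ID", "imap7.hosting.example")]
```

With the constructed chain, a certificate carrying only the DNS-ID imap7.hosting.example is refused, while one carrying the SRV-ID _imap.example.com is accepted without any DNS lookup being trusted.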
